<?php

// Copyright (C) 2013-2024 Combodo SAS
//
//   This file is part of iTop.
//
//   iTop is free software; you can redistribute it and/or modify
//   it under the terms of the GNU Affero General Public License as published by
//   the Free Software Foundation, either version 3 of the License, or
//   (at your option) any later version.
//
//   iTop is distributed in the hope that it will be useful,
//   but WITHOUT ANY WARRANTY; without even the implied warranty of
//   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
//   GNU Affero General Public License for more details.
//
//   You should have received a copy of the GNU Affero General Public License
//   along with iTop. If not, see <http://www.gnu.org/licenses/>

/**
 * REST/json services
 *
 * Definition of common structures + the very minimum service provider (manage objects)
 *
 * @package     REST Services
 * @copyright   Copyright (C) 2024 Combodo SAS
 * @license     http://opensource.org/licenses/AGPL-3.0
 * @api
 */

/**
 * Element of the response formed by RestResultWithObjects
 *
 * @package     RESTAPI
 * @api
 */
class ObjectResult
{
	/**
	 * @var string
	 * @api
	 */
	use SanitizeTrait;
	/**
	 * @var int
	 * @api
	 */
	public $code;

	public $message;
	/**
	 * @var mixed|null
	 * @api
	 */
	public $class;
	/**
	 * @var mixed|null
	 * @api
	 */
	public $key;
	/**
	 * @var array
	 * @api
	 */
	public $fields;

	/**
	 * Default constructor
	 * @api
	 */
	public function __construct($sClass = null, $iId = null)
	{
		$this->code = RestResult::OK;
		$this->message = '';
		$this->class = $sClass;
		$this->key = $iId;
		$this->fields = [];
	}

	/**
	 * Creates an ObjectResult from a DBObject.
	 *
	 * @param DBObject $oObj The object.
	 * @param array|null $aFieldSpec An array of class => attribute codes (Cf. RestUtils::GetFieldList). List of the attributes to be reported.
	 * @param boolean $bExtendedOutput Output all of the link set attributes ?
	 * @param integer $iCode An error code (RestResult::OK is no issue has been found)
	 * @param string $sMessage Description of the error if any, an empty string otherwise
	 *
	 * @return ObjectResult
	 */
	public static function FromDBObject(DBObject $oObj, ?array $aFieldSpec = null, $bExtendedOutput = false, $iCode = 0, $sMessage = ''): ObjectResult
	{

		$oObjRes = new ObjectResult($oObj::class, $oObj->GetKey());
		$oObjRes->code = $iCode;
		$oObjRes->message = $sMessage;

		$aFields = null;
		if (!is_null($aFieldSpec)) {
			// Enum all classes in the hierarchy, starting with the current one
			foreach (MetaModel::EnumParentClasses($oObj::class, ENUM_PARENT_CLASSES_ALL, false) as $sRefClass) {
				if (array_key_exists($sRefClass, $aFieldSpec)) {
					$aFields = $aFieldSpec[$sRefClass];
					break;
				}
			}
		}
		if (is_null($aFields)) {
			// No fieldspec given, or not found...
			$aFields = ['id', 'friendlyname'];
		}

		foreach ($aFields as $sAttCode) {
			$oObjRes->AddField($oObj, $sAttCode, $bExtendedOutput);
		}

		return $oObjRes;

	}

	/**
	 * Helper to make an output value for a given attribute
	 *
	 * @api
	 * @param DBObject $oObject The object being reported
	 * @param string $sAttCode The attribute code (must be valid)
	 * @param boolean $bExtendedOutput Output all of the link set attributes ?
	 *
	 * @return string A scalar representation of the value
	 * @throws \ArchivedObjectException
	 * @throws \CoreException
	 * @throws \CoreUnexpectedValue
	 * @throws \MySQLException
	 */
	protected function MakeResultValue(DBObject $oObject, $sAttCode, $bExtendedOutput = false)
	{
		if ($sAttCode == 'id') {
			$value = $oObject->GetKey();
		} else {
			$sClass = get_class($oObject);
			$oAttDef = MetaModel::GetAttributeDef($sClass, $sAttCode);
			if ($oAttDef instanceof AttributeLinkedSet) {
				// Iterate on the set and build an array of array of attcode=>value
				$oSet = $oObject->Get($sAttCode);
				$value = [];
				while ($oLnk = $oSet->Fetch()) {
					$sLnkRefClass = $bExtendedOutput ? get_class($oLnk) : $oAttDef->GetLinkedClass();

					$aLnkValues = [];
					foreach (MetaModel::ListAttributeDefs($sLnkRefClass) as $sLnkAttCode => $oLnkAttDef) {
						// Skip attributes pointing to the current object (redundant data)
						if ($sLnkAttCode == $oAttDef->GetExtKeyToMe()) {
							continue;
						}
						// Skip any attribute of the link that points to the current object
						$oLnkAttDef = MetaModel::GetAttributeDef($sLnkRefClass, $sLnkAttCode);
						if (method_exists($oLnkAttDef, 'GetKeyAttCode')) {
							if ($oLnkAttDef->GetKeyAttCode() == $oAttDef->GetExtKeyToMe()) {
								continue;
							}
						}

						$aLnkValues[$sLnkAttCode] = $this->MakeResultValue($oLnk, $sLnkAttCode, $bExtendedOutput);
					}
					$value[] = $aLnkValues;
				}
			} else {
				$value = $oAttDef->GetForJSON($oObject->Get($sAttCode));
			}
		}
		return $value;
	}

	/**
	 * Report the value for the given object attribute
	 *
	 * @api
	 * @param DBObject $oObject The object being reported
	 * @param string $sAttCode The attribute code (must be valid)
	 * @param boolean $bExtendedOutput Output all of the link set attributes ?
	 *
	 * @return void
	 * @throws \ArchivedObjectException
	 * @throws \CoreException
	 * @throws \CoreUnexpectedValue
	 * @throws \MySQLException
	 */
	public function AddField(DBObject $oObject, $sAttCode, $bExtendedOutput = false)
	{
		$this->fields[$sAttCode] = $this->MakeResultValue($oObject, $sAttCode, $bExtendedOutput);
	}

	public function SanitizeContent()
	{
		foreach ($this->fields as $sFieldAttCode => $fieldValue) {
			try {
				$oAttDef = MetaModel::GetAttributeDef($this->class, $sFieldAttCode);
			} catch (Exception $e) { // for special cases like ID
				continue;
			}
			$this->SanitizeFieldIfSensitive($this->fields, $sFieldAttCode, $fieldValue, $oAttDef);
		}
	}
}

/**
 * REST response for services managing objects. Derive this structure to add information and/or constants
 *
 * @package RESTAPI
 * @api
 */
class RestResultWithObjects extends RestResult
{
	/** @var array "DBObject_class:DBObject_key" as key, {@see \ObjectResult} as value */
	public $objects;

	/**
	 * Report the given object
	 *
	 * @api
	 * @param int $iCode An error code (RestResult::OK is no issue has been found)
	 * @param string $sMessage Description of the error if any, an empty string otherwise
	 * @param DBObject $oObject The object being reported
	 * @param array|null $aFieldSpec An array of class => attribute codes (Cf. RestUtils::GetFieldList). List of the attributes to be reported.
	 * @param boolean $bExtendedOutput Output all of the link set attributes ?
	 *
	 * @return void
	 * @throws \ArchivedObjectException
	 * @throws \CoreException
	 * @throws \CoreUnexpectedValue
	 * @throws \MySQLException
	 */
	public function AddObject($iCode, $sMessage, $oObject, $aFieldSpec = null, $bExtendedOutput = false)
	{
		$oObjRes = ObjectResult::FromDBObject($oObject, $aFieldSpec, $bExtendedOutput, $iCode, $sMessage);

		$sObjKey = get_class($oObject).'::'.$oObject->GetKey();
		$this->objects[$sObjKey] = $oObjRes;
	}

	public function SanitizeContent()
	{
		parent::SanitizeContent();

		foreach ($this->objects as $sObjKey => $oObjRes) {
			$oObjRes->SanitizeContent();
		}
	}
}

/**
 * @package RESTAPI
 * @api
 */
class RestResultWithRelations extends RestResultWithObjects
{
	public $relations;

	/**
	 * @api
	 */
	public function __construct()
	{
		parent::__construct();
		$this->relations = [];
	}

	/**
	 * @param $sSrcKey
	 * @param $sDestKey
	 *
	 * @return void
	 * @api
	 */
	public function AddRelation($sSrcKey, $sDestKey)
	{
		if (!array_key_exists($sSrcKey, $this->relations)) {
			$this->relations[$sSrcKey] = [];
		}
		$this->relations[$sSrcKey][] = ['key' => $sDestKey];
	}
}

/**
 * Deletion result codes for a target object (either deleted or updated)
 *
 * @package     RESTAPI
 * @api
 * @since 2.0.1
 */
class RestDelete
{
	/**
	 * Result: Object deleted as per the initial request
	 * @api
	 */
	public const OK = 0;
	/**
	 * Result: general issue (user rights or ... ?)
	 * @api
	 */
	public const ISSUE = 1;
	/**
	 * Result: Must be deleted to preserve database integrity
	 * @api
	 */
	public const AUTO_DELETE = 2;
	/**
	 * Result: Must be deleted to preserve database integrity, but that is NOT possible
	 * @api
	 */
	public const AUTO_DELETE_ISSUE = 3;
	/**
	 * Result: Must be deleted to preserve database integrity, but this must be requested explicitly
	 * @api
	 */
	public const REQUEST_EXPLICITELY = 4;
	/**
	 * Result: Must be updated to preserve database integrity
	 * @api
	 */
	public const AUTO_UPDATE = 5;
	/**
	 * Result: Must be updated to preserve database integrity, but that is NOT possible
	 * @api
	 */
	public const AUTO_UPDATE_ISSUE = 6;
}

/**
 * Implementation of core REST services (create/get/update... objects)
 *
 * @package     Core
 */
class CoreServices implements iRestServiceProvider, iRestInputSanitizer
{
	use SanitizeTrait;
	/**
	 * Enumerate services delivered by this class
	 *
	 * @param string $sVersion The version (e.g. 1.0) supported by the services
	 * @return array An array of hash 'verb' => verb, 'description' => description
	 */
	public function ListOperations($sVersion)
	{
		// 1.4 - iTop 2.5.2, 2.6.1, 2.7.0, Verb 'core/get': added pagination parameters limit and page
		// 1.3 - iTop 2.2.0, Verb 'get_related': added the options 'redundancy' and 'direction' to take into account the redundancy in the impact analysis
		// 1.2 - was documented in the wiki but never released ! Same as 1.3
		// 1.1 - In the reply, objects have a 'key' entry so that it is no more necessary to split class::key programmaticaly
		// 1.0 - Initial implementation in iTop 2.0.1
		//
		$aOps = [];
		if (in_array($sVersion, ['1.0', '1.1', '1.2', '1.3', '1.4'])) {
			$aOps[] = [
				'verb' => 'core/create',
				'description' => 'Create an object',
			];
			$aOps[] = [
				'verb' => 'core/update',
				'description' => 'Update an object',
			];
			$aOps[] = [
				'verb' => 'core/apply_stimulus',
				'description' => 'Apply a stimulus to change the state of an object',
			];
			$aOps[] = [
				'verb' => 'core/get',
				'description' => 'Search for objects',
			];
			$aOps[] = [
				'verb' => 'core/delete',
				'description' => 'Delete objects',
			];
			$aOps[] = [
				'verb' => 'core/get_related',
				'description' => 'Get related objects through the specified relation',
			];
			$aOps[] = [
				'verb' => 'core/check_credentials',
				'description' => 'Check user credentials',
			];
		}
		return $aOps;
	}

	/**
	 * Enumerate services delivered by this class
	 *
	 * @param string $sVersion The version (e.g. 1.0) supported by the services
	 * @param string $sVerb
	 * @param object $aParams
	 *
	 * @return RestResult The standardized result structure (at least a message)
	 * @throws \CoreException
	 * @throws \CoreUnexpectedValue
	 * @throws \SimpleGraphException
	 * @throws \Exception
	 */
	public function ExecOperation($sVersion, $sVerb, $aParams)
	{
		$oResult = new RestResultWithObjects();
		switch ($sVerb) {
			case 'core/create':
				RestUtils::InitTrackingComment($aParams);
				$sClass = RestUtils::GetClass($aParams, 'class');
				$aFields = RestUtils::GetMandatoryParam($aParams, 'fields');
				$aShowFields = RestUtils::GetFieldList($sClass, $aParams, 'output_fields');
				$bExtendedOutput = (RestUtils::GetOptionalParam($aParams, 'output_fields', '*') == '*+');

				if (UserRights::IsActionAllowed($sClass, UR_ACTION_MODIFY) != UR_ALLOWED_YES) {
					$oResult->code = RestResult::UNAUTHORIZED;
					$oResult->message = "The current user does not have enough permissions for creating data of class $sClass";
				} elseif (UserRights::IsActionAllowed($sClass, UR_ACTION_BULK_MODIFY) != UR_ALLOWED_YES) {
					$oResult->code = RestResult::UNAUTHORIZED;
					$oResult->message = "The current user does not have enough permissions for massively creating data of class $sClass";
				} else {
					$oObject = RestUtils::MakeObjectFromFields($sClass, $aFields);
					$oObject->DBInsert();
					$oResult->AddObject(0, 'created', $oObject, $aShowFields, $bExtendedOutput);
				}
				break;

			case 'core/update':
				RestUtils::InitTrackingComment($aParams);
				$sClass = RestUtils::GetClass($aParams, 'class');
				$key = RestUtils::GetMandatoryParam($aParams, 'key');
				$aFields = RestUtils::GetMandatoryParam($aParams, 'fields');
				$aShowFields = RestUtils::GetFieldList($sClass, $aParams, 'output_fields');
				$bExtendedOutput = (RestUtils::GetOptionalParam($aParams, 'output_fields', '*') == '*+');

				// Note: the target class cannot be based on the result of FindObjectFromKey, because in case the user does not have read access, that function already fails with msg 'Nothing found'
				$sTargetClass = RestUtils::GetObjectSetFromKey($sClass, $key)->GetFilter()->GetClass();
				if (UserRights::IsActionAllowed($sTargetClass, UR_ACTION_MODIFY) != UR_ALLOWED_YES) {
					$oResult->code = RestResult::UNAUTHORIZED;
					$oResult->message = "The current user does not have enough permissions for modifying data of class $sTargetClass";
				} elseif (UserRights::IsActionAllowed($sTargetClass, UR_ACTION_MODIFY) != UR_ALLOWED_YES) {
					$oResult->code = RestResult::UNAUTHORIZED;
					$oResult->message = "The current user does not have enough permissions for massively modifying data of class $sTargetClass";
				} else {
					$oObject = RestUtils::FindObjectFromKey($sClass, $key);
					RestUtils::UpdateObjectFromFields($oObject, $aFields);
					$oObject->DBUpdate();
					$oResult->AddObject(0, 'updated', $oObject, $aShowFields, $bExtendedOutput);
				}
				break;

			case 'core/apply_stimulus':
				RestUtils::InitTrackingComment($aParams);
				$sClass = RestUtils::GetClass($aParams, 'class');
				$key = RestUtils::GetMandatoryParam($aParams, 'key');
				$aFields = RestUtils::GetMandatoryParam($aParams, 'fields');
				$aShowFields = RestUtils::GetFieldList($sClass, $aParams, 'output_fields');
				$bExtendedOutput = (RestUtils::GetOptionalParam($aParams, 'output_fields', '*') == '*+');
				$sStimulus = RestUtils::GetMandatoryParam($aParams, 'stimulus');

				// Note: the target class cannot be based on the result of FindObjectFromKey, because in case the user does not have read access, that function already fails with msg 'Nothing found'
				$sTargetClass = RestUtils::GetObjectSetFromKey($sClass, $key)->GetFilter()->GetClass();
				if (UserRights::IsActionAllowed($sTargetClass, UR_ACTION_MODIFY) != UR_ALLOWED_YES) {
					$oResult->code = RestResult::UNAUTHORIZED;
					$oResult->message = "The current user does not have enough permissions for modifying data of class $sTargetClass";
				} elseif (UserRights::IsActionAllowed($sTargetClass, UR_ACTION_BULK_MODIFY) != UR_ALLOWED_YES) {
					$oResult->code = RestResult::UNAUTHORIZED;
					$oResult->message = "The current user does not have enough permissions for massively modifying data of class $sTargetClass";
				} else {
					$oObject = RestUtils::FindObjectFromKey($sClass, $key);
					RestUtils::UpdateObjectFromFields($oObject, $aFields);

					$aTransitions = $oObject->EnumTransitions();
					$aStimuli = MetaModel::EnumStimuli(get_class($oObject));
					if (!isset($aTransitions[$sStimulus])) {
						// Invalid stimulus
						$oResult->code = RestResult::INTERNAL_ERROR;
						$oResult->message = "Invalid stimulus: '$sStimulus' on the object ".$oObject->GetName()." in state '".$oObject->GetState()."'";
					} else {
						$aTransition = $aTransitions[$sStimulus];
						$sTargetState = $aTransition['target_state'];
						$aStates = MetaModel::EnumStates($sClass);
						$aTargetStateDef = $aStates[$sTargetState];
						$aExpectedAttributes = $aTargetStateDef['attribute_list'];

						$aMissingMandatory = [];
						foreach ($aExpectedAttributes as $sAttCode => $iExpectCode) {
							if (($iExpectCode & OPT_ATT_MANDATORY) && ($oObject->Get($sAttCode) == '')) {
								$aMissingMandatory[] = $sAttCode;
							}
						}
						if (count($aMissingMandatory) == 0) {
							// If all the mandatory fields are already present, just apply the transition silently...
							if ($oObject->ApplyStimulus($sStimulus)) {
								$oObject->DBUpdate();
								$oResult->AddObject(0, 'updated', $oObject, $aShowFields, $bExtendedOutput);
							}
						} else {
							// Missing mandatory attributes for the transition
							$oResult->code = RestResult::INTERNAL_ERROR;
							$oResult->message = 'Missing mandatory attribute(s) for applying the stimulus: '.implode(', ', $aMissingMandatory).'.';
						}
					}
				}
				break;

			case 'core/get':
				$sClass = RestUtils::GetClass($aParams, 'class');
				$key = RestUtils::GetMandatoryParam($aParams, 'key');
				$aShowFields = RestUtils::GetFieldList($sClass, $aParams, 'output_fields');
				$bExtendedOutput = (RestUtils::GetOptionalParam($aParams, 'output_fields', '*') == '*+');
				$iLimit = (int)RestUtils::GetOptionalParam($aParams, 'limit', 0);
				$iPage = (int)RestUtils::GetOptionalParam($aParams, 'page', 1);

				$oObjectSet = RestUtils::GetObjectSetFromKey($sClass, $key, $iLimit, self::getOffsetFromLimitAndPage($iLimit, $iPage));
				$sTargetClass = $oObjectSet->GetFilter()->GetClass();

				if (UserRights::IsActionAllowed($sTargetClass, UR_ACTION_READ) != UR_ALLOWED_YES) {
					$oResult->code = RestResult::UNAUTHORIZED;
					$oResult->message = "The current user does not have enough permissions for reading data of class $sTargetClass";
				} elseif (UserRights::IsActionAllowed($sTargetClass, UR_ACTION_BULK_READ) != UR_ALLOWED_YES) {
					$oResult->code = RestResult::UNAUTHORIZED;
					$oResult->message = "The current user does not have enough permissions for exporting data of class $sTargetClass";
				} elseif ($iPage < 1) {
					$oResult->code = RestResult::INVALID_PAGE;
					$oResult->message = "The request page number is not valid. It must be an integer greater than 0";
				} else {
					if (!$bExtendedOutput && RestUtils::GetOptionalParam($aParams, 'output_fields', '*') != '*') {
						$aFields = $aShowFields[$sClass];
						//Id is not a valid attribute to optimize
						if (in_array('id', $aFields)) {
							unset($aFields[array_search('id', $aFields)]);
						}
						$aAttToLoad = [$oObjectSet->GetClassAlias() => $aFields];
						$oObjectSet->OptimizeColumnLoad($aAttToLoad);
					}

					while ($oObject = $oObjectSet->Fetch()) {
						$oResult->AddObject(0, '', $oObject, $aShowFields, $bExtendedOutput);
					}
					$oResult->message = "Found: ".$oObjectSet->Count();
				}
				break;

			case 'core/delete':
				RestUtils::InitTrackingComment($aParams);
				$sClass = RestUtils::GetClass($aParams, 'class');
				$key = RestUtils::GetMandatoryParam($aParams, 'key');
				$bSimulate = RestUtils::GetOptionalParam($aParams, 'simulate', false);

				$oObjectSet = RestUtils::GetObjectSetFromKey($sClass, $key);
				$sTargetClass = $oObjectSet->GetFilter()->GetClass();

				if (UserRights::IsActionAllowed($sTargetClass, UR_ACTION_DELETE) != UR_ALLOWED_YES) {
					$oResult->code = RestResult::UNAUTHORIZED;
					$oResult->message = "The current user does not have enough permissions for deleting data of class $sTargetClass";
				} elseif (UserRights::IsActionAllowed($sTargetClass, UR_ACTION_DELETE) != UR_ALLOWED_YES) {
					$oResult->code = RestResult::UNAUTHORIZED;
					$oResult->message = "The current user does not have enough permissions for massively deleting data of class $sTargetClass";
				} else {
					$aObjects = $oObjectSet->ToArray();
					$this->DeleteObjects($oResult, $aObjects, $bSimulate);
				}
				break;

			case 'core/get_related':
				$oResult = new RestResultWithRelations();
				$sClass = RestUtils::GetClass($aParams, 'class');
				$key = RestUtils::GetMandatoryParam($aParams, 'key');
				$sRelation = RestUtils::GetMandatoryParam($aParams, 'relation');
				$iMaxRecursionDepth = RestUtils::GetOptionalParam($aParams, 'depth', 20 /* = MAX_RECURSION_DEPTH */);
				$sDirection = RestUtils::GetOptionalParam($aParams, 'direction', null);
				$bEnableRedundancy = RestUtils::GetOptionalParam($aParams, 'redundancy', false);
				$bReverse = false;

				if (is_null($sDirection) && ($sRelation == 'depends on')) {
					// Legacy behavior, consider "depends on" as a forward relation
					$sRelation = 'impacts';
					$sDirection = 'up';
					$bReverse = true; // emulate the legacy behavior by returning the edges
				} elseif (is_null($sDirection)) {
					$sDirection = 'down';
				}

				$oObjectSet = RestUtils::GetObjectSetFromKey($sClass, $key);
				if ($sDirection == 'down') {
					$oRelationGraph = $oObjectSet->GetRelatedObjectsDown($sRelation, $iMaxRecursionDepth, $bEnableRedundancy);
				} elseif ($sDirection == 'up') {
					$oRelationGraph = $oObjectSet->GetRelatedObjectsUp($sRelation, $iMaxRecursionDepth, $bEnableRedundancy);
				} else {
					$oResult->code = RestResult::INTERNAL_ERROR;
					$oResult->message = "Invalid value: '$sDirection' for the parameter 'direction'. Valid values are 'up' and 'down'";
					return $oResult;

				}

				if ($bEnableRedundancy) {
					// Remove the redundancy nodes from the output
					$oIterator = new RelationTypeIterator($oRelationGraph, 'Node');
					foreach ($oIterator as $oNode) {
						if ($oNode instanceof RelationRedundancyNode) {
							$oRelationGraph->FilterNode($oNode);
						}
					}
				}

				$aIndexByClass = [];
				$oIterator = new RelationTypeIterator($oRelationGraph);
				foreach ($oIterator as $oElement) {
					if ($oElement instanceof RelationObjectNode) {
						$oObject = $oElement->GetProperty('object');
						if ($oObject) {
							if ($bEnableRedundancy && $sDirection == 'down') {
								// Add only the "reached" objects
								if ($oElement->GetProperty('is_reached')) {
									$aIndexByClass[get_class($oObject)][$oObject->GetKey()] = null;
									$oResult->AddObject(0, '', $oObject);
								}
							} else {
								$aIndexByClass[get_class($oObject)][$oObject->GetKey()] = null;
								$oResult->AddObject(0, '', $oObject);
							}
						}
					} elseif ($oElement instanceof RelationEdge) {
						$oSrcObj = $oElement->GetSourceNode()->GetProperty('object');
						$oDestObj = $oElement->GetSinkNode()->GetProperty('object');
						$sSrcKey = get_class($oSrcObj).'::'.$oSrcObj->GetKey();
						$sDestKey = get_class($oDestObj).'::'.$oDestObj->GetKey();
						if ($bEnableRedundancy) {
							// Add only the edges where both source and destination are "reached"
							if ($oElement->GetSourceNode()->GetProperty('is_reached') && $oElement->GetSinkNode()->GetProperty('is_reached')) {
								if ($bReverse) {
									$oResult->AddRelation($sDestKey, $sSrcKey);
								} else {
									$oResult->AddRelation($sSrcKey, $sDestKey);
								}
							}
						} else {
							if ($bReverse) {
								$oResult->AddRelation($sDestKey, $sSrcKey);
							} else {
								$oResult->AddRelation($sSrcKey, $sDestKey);
							}
						}
					}
				}

				if (count($aIndexByClass) > 0) {
					$aStats = [];
					$aUnauthorizedClasses = [];
					foreach ($aIndexByClass as $sClass => $aIds) {
						if (UserRights::IsActionAllowed($sClass, UR_ACTION_BULK_READ) != UR_ALLOWED_YES) {
							$aUnauthorizedClasses[$sClass] = true;
						}
						$aStats[] = $sClass.'= '.count($aIds);
					}
					if (count($aUnauthorizedClasses) > 0) {
						$sClasses = implode(', ', array_keys($aUnauthorizedClasses));
						$oResult = new RestResult();
						$oResult->code = RestResult::UNAUTHORIZED;
						$oResult->message = "The current user does not have enough permissions for exporting data of class(es): $sClasses";
					} else {
						$oResult->message = "Scope: ".$oObjectSet->Count()."; Related objects: ".implode(', ', $aStats);
					}
				} else {
					$oResult->message = "Nothing found";
				}
				break;

			case 'core/check_credentials':
				$oResult = new RestResult();
				$sUser = RestUtils::GetMandatoryParam($aParams, 'user');
				$sPassword = RestUtils::GetMandatoryParam($aParams, 'password');

				if (UserRights::CheckCredentials($sUser, $sPassword) !== true) {
					$oResult->authorized = false;
				} else {
					$oResult->authorized = true;
				}
				break;

			default:
				// unknown operation: handled at a higher level
		}
		return $oResult;
	}

	public function SanitizeJsonInput(string $sJsonInput): string
	{
		$sSanitizedJsonInput = $sJsonInput;
		$aJsonData = json_decode($sSanitizedJsonInput, true);
		$sOperation = $aJsonData['operation'];

		switch ($sOperation) {
			case 'core/check_credentials':
				if (isset($aJsonData['password'])) {
					$aJsonData['password'] = '*****';
				}
				break;
			case 'core/update':
			case 'core/create':
			default:
				$sClass = $aJsonData['class'];
				if (isset($aJsonData['fields'])) {
					foreach ($aJsonData['fields'] as $sFieldAttCode => $fieldValue) {
						$oAttDef = MetaModel::GetAttributeDef($sClass, $sFieldAttCode);
						$this->SanitizeFieldIfSensitive($aJsonData['fields'], $sFieldAttCode, $fieldValue, $oAttDef);
					}
				}
				break;
		}
		return json_encode($aJsonData, JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT | JSON_UNESCAPED_UNICODE);
	}

	/**
	 * Helper for object deletion
	 */
	public function DeleteObjects($oResult, $aObjects, $bSimulate)
	{
		$oDeletionPlan = new DeletionPlan();
		foreach ($aObjects as $oObj) {
			if ($bSimulate) {
				$oObj->CheckToDelete($oDeletionPlan);
			} else {
				$oObj->DBDelete($oDeletionPlan);
			}
		}

		foreach ($oDeletionPlan->ListDeletes() as $sTargetClass => $aDeletes) {
			foreach ($aDeletes as $iId => $aData) {
				$oToDelete = $aData['to_delete'];
				$bAutoDel = (($aData['mode'] == DEL_SILENT) || ($aData['mode'] == DEL_AUTO));
				if (array_key_exists('issue', $aData)) {
					if ($bAutoDel) {
						if (isset($aData['requested_explicitely'])) { // i.e. in the initial list of objects to delete
							$iCode = RestDelete::ISSUE;
							$sPlanned = 'Cannot be deleted: '.$aData['issue'];
						} else {
							$iCode = RestDelete::AUTO_DELETE_ISSUE;
							$sPlanned = 'Should be deleted automatically... but: '.$aData['issue'];
						}
					} else {
						$iCode = RestDelete::REQUEST_EXPLICITELY;
						$sPlanned = 'Must be deleted explicitely... but: '.$aData['issue'];
					}
				} else {
					if ($bAutoDel) {
						if (isset($aData['requested_explicitely'])) {
							$iCode = RestDelete::OK;
							$sPlanned = '';
						} else {
							$iCode = RestDelete::AUTO_DELETE;
							$sPlanned = 'Deleted automatically';
						}
					} else {
						$iCode = RestDelete::REQUEST_EXPLICITELY;
						$sPlanned = 'Must be deleted explicitely';
					}
				}
				$oResult->AddObject($iCode, $sPlanned, $oToDelete);
			}
		}
		foreach ($oDeletionPlan->ListUpdates() as $sRemoteClass => $aToUpdate) {
			foreach ($aToUpdate as $iId => $aData) {
				$oToUpdate = $aData['to_reset'];
				if (array_key_exists('issue', $aData)) {
					$iCode = RestDelete::AUTO_UPDATE_ISSUE;
					$sPlanned = 'Should be updated automatically... but: '.$aData['issue'];
				} else {
					$iCode = RestDelete::AUTO_UPDATE;
					$sPlanned = 'Reset external keys: '.$aData['attributes_list'];
				}
				$oResult->AddObject($iCode, $sPlanned, $oToUpdate);
			}
		}

		if ($oDeletionPlan->FoundStopper()) {
			if ($oDeletionPlan->FoundSecurityIssue()) {
				$iRes = RestResult::UNAUTHORIZED;
				$sRes = 'Deletion not allowed on some objects';
			} elseif ($oDeletionPlan->FoundManualOperation()) {
				$iRes = RestResult::UNSAFE;
				$sRes = 'The deletion requires that other objects be deleted/updated, and those operations must be requested explicitely';
			} else {
				$iRes = RestResult::INTERNAL_ERROR;
				$sRes = 'Some issues have been encountered. See the list of planned changes for more information about the issue(s).';
			}
		} else {
			$iRes = RestResult::OK;
			$sRes = 'Deleted: '.count($aObjects);
			$iIndirect = $oDeletionPlan->GetTargetCount() - count($aObjects);
			if ($iIndirect > 0) {
				$sRes .= ' plus (for DB integrity) '.$iIndirect;
			}
		}
		$oResult->code = $iRes;
		if ($bSimulate) {
			$oResult->message = 'SIMULATING: '.$sRes;
		} else {
			$oResult->message = $sRes;
		}
	}

	/**
	 * @param int $iLimit
	 * @param int $iPage
	 *
	 * @return int Offset for a given page number
	 */
	protected static function getOffsetFromLimitAndPage($iLimit, $iPage)
	{
		return $iLimit * max(0, $iPage - 1);
	}
}

/**
 * Sanitizes sensitive fields on a "json ready" representation of a DBObject
 * Useful for logging purposes
 */
trait SanitizeTrait
{
	/**
	 * Sanitize a field if it is sensitive.
	 *
	 * @param array $fields The fields array
	 * @param string $sFieldAttCode The attribute code
	 * @param mixed $oAttDef The attribute definition
	 * @throws Exception
	 */
	private function SanitizeFieldIfSensitive(array &$fields, string $sFieldAttCode, $fieldValue, $oAttDef): void
	{
		// for simple attribute
		if ($oAttDef instanceof iAttributeNoGroupBy) { // iAttributeNoGroupBy is equivalent to sensitive attribute
			$fields[$sFieldAttCode] = '*****';
			return;
		}
		// for 1-n / n-n relation
		if ($oAttDef instanceof AttributeLinkedSet) {
			foreach ($fieldValue as $i => $aLnkValues) {
				foreach ($aLnkValues as $sLnkAttCode => $sLnkValue) {
					$oLnkAttDef = MetaModel::GetAttributeDef($oAttDef->GetLinkedClass(), $sLnkAttCode);
					if ($oLnkAttDef instanceof iAttributeNoGroupBy) { // 1-n relation
						$fields[$sFieldAttCode][$i][$sLnkAttCode] = '*****';
					} elseif ($oAttDef instanceof AttributeLinkedSetIndirect && $oLnkAttDef instanceof AttributeExternalField) { // for n-n relation
						$oExtKeyAttDef = MetaModel::GetAttributeDef($oLnkAttDef->GetTargetClass(), $oLnkAttDef->GetExtAttCode());
						if ($oExtKeyAttDef instanceof iAttributeNoGroupBy) {
							$fields[$sFieldAttCode][$i][$sLnkAttCode] = '*****';
						}
					}
				}
			}
			return;
		}

		// for external attribute
		if ($oAttDef instanceof AttributeExternalField) {
			$oExtKeyAttDef = MetaModel::GetAttributeDef($oAttDef->GetTargetClass(), $oAttDef->GetExtAttCode());
			if ($oExtKeyAttDef instanceof iAttributeNoGroupBy) {
				$fields[$sFieldAttCode] = '*****';
			}
		}
	}
}
